Date: Thu, 14 Apr 2005 12:59:49 +1000
From: Andrew Reilly <andrew-freebsd@areilly.bpc-users.org>
To: freebsd-stable@freebsd.org
Subject: Misleading security message output
Message-ID: <20050414025949.GA94683@gurney.reilly.home>
I had an interesting experience, this morning. The nightly security message from a CVS server machine that runs a version of FreeBSD-4 had arrived, and it claimed that someone who hadn't done any work for us for some considerable time had had three failed login attempts, late that night. Curious.

After much hunting around, and checking perimeter logs, it turned out that nothing of the sort had happened. The security log script had been fooled by the age of the messages.0.gz file, which contained messages from more than a year ago. The search pattern "$yesterday" doesn't contain a year, because log file timestamps don't contain years. The log file was so old because rotation is determined by size, and this machine simply doesn't have much to log, despite being used daily. It never goes down, and is basically completely stable.

This could be avoided, perhaps, with a NetBSD-style backup/diff mechanism, or (incompatibly) with daemontools/multilog-style 64-bit time stamps in the log files. It can be worked around by forcing faster log-file rotations, now that I know about the problem. I can't think of a really good widely-applicable solution, using the existing framework, though.

Suggestions?

-- 
Andrew
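The failure mode described in the mail, reproduced as an added example that is not part of the original message or of FreeBSD's own /etc/security script. The log lines, host name, user names, addresses and the fixed "Apr 13" pattern (standing in for the script's "$yesterday", which is "%b %e" without a year) are all constructed; the rotated file is left uncompressed and its mtime is set a year back with touch so the script runs offline. The naive search matches the year-old failures; the guarded variant only searches files modified within the last two days, which is one way to avoid the false positive without touching the log format.

```shell
#!/bin/sh
# Constructed demonstration of a size-rotated log producing a stale match
# for "yesterday", and an mtime guard that skips such files.
set -eu

WORK=$(mktemp -d)
LOGDIR="$WORK/log"
mkdir -p "$LOGDIR"
trap 'rm -rf "$WORK"' EXIT

# Stand-in for the periodic script's $yesterday ("%b %e", no year).
PATTERN="Apr 13"

# Constructed current log: one benign line for the pattern day.
printf '%s\n' \
  "Apr 13 23:10:02 cvs sshd[123]: Accepted publickey for alice from 10.0.0.5" \
  > "$LOGDIR/messages"

# Constructed rotated log: three failed logins on the same "Apr 13",
# but from a year earlier. The timestamps carry no year, so they match.
printf '%s\n' \
  "Apr 13 23:41:17 cvs sshd[456]: Failed password for bob from 10.0.0.9 port 50000 ssh2" \
  "Apr 13 23:41:21 cvs sshd[456]: Failed password for bob from 10.0.0.9 port 50000 ssh2" \
  "Apr 13 23:41:25 cvs sshd[456]: Failed password for bob from 10.0.0.9 port 50000 ssh2" \
  > "$LOGDIR/messages.0"
# Give the rotated file a year-old modification time (content unchanged).
touch -t 200404140100 "$LOGDIR/messages.0"

# Naive check, in the spirit of the script the mail describes: every
# messages* file is searched for yesterday's date regardless of its age.
naive_failed_logins() {
  cat "$LOGDIR/messages.0" "$LOGDIR/messages" |
    grep "^$PATTERN" | grep -c 'Failed password' || true
}

# Guarded check: only files modified in the last two days are searched, so
# a size-rotated file still holding last year's dates is skipped.
guarded_failed_logins() {
  find "$LOGDIR" -name 'messages*' -mtime -2 -exec cat {} + |
    grep "^$PATTERN" | grep -c 'Failed password' || true
}

echo "naive:   $(naive_failed_logins) failed logins reported"
echo "guarded: $(guarded_failed_logins) failed logins reported"
```

The guard is deliberately crude: it trusts the file's mtime rather than the log contents, so it is only as good as the rotation and clock on the host. It also reports nothing from a rotated file that was last written 2 days ago even if it holds yesterday's entries, so the window should be chosen to match the rotation interval.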